UHC - BackendTwo

00:00 - Intro
00:49 - Start of nmap
02:17 - Talking about why dirbusting an API is different: brute-force HTTP methods instead of file extensions, and a 404 doesn't terminate recursion
03:10 - Installing the latest version of FeroxBuster
04:40 - Running FeroxBuster with Force Recursion and multiple HTTP methods to discover user endpoints
06:45 - Downloading all users, combining them into a single JSON file, then using jq to filter users
10:08 - Registering an account via the Signup endpoint. Analyzing errors to identify how it wants data
11:55 - Logging into the application in order to get a bearer token
13:08 - Using BurpSuite to add the Bearer Token to our HTTP Request and accessing /docs/
15:10 - Playing with the edit endpoint in the docs page
16:38 - Testing for Mass Assignment by editing our profile but adding the is_superuser parameter
19:15 - Using the file endpoint to extract files from the application
20:45 - Creating a bash script to make extracting files easier for us
23:45 - Using the LFI to examine the /proc/ directory to get the cmdline of the PID and PPID, along with environment variables
26:35 - Examining the source code via the LFI to identify how the application works and how the JWT is created
30:50 - Trying to write files, discovering we need to edit our JWT
32:45 - Creating a bash script that will update the webserver code to include another endpoint to send a reverse shell
41:50 - Reverse shell returned, reviewing the logs to identify a password was entered as a username
44:00 - Trying to use Sudo and getting to PAM-Wordle
45:05 - Analyzing timestamps on the filesystem with find to identify a PAM module that was manually placed on the filesystem (not installed by APT)
48:25 - Running strings on the PAM module, discovering the wordlist used for Wordle is in a user-readable directory
49:00 - Using the wordlist to cheat Wordle and root the box
50:10 - Examining the source code of the box to identify why it is vulnerable to Mass Assignment